Quickstart: Cursor and other IDE clients
Use a remote streamable-HTTP configuration when your IDE can attach static headers. Use a local stdio bridge when it cannot. In both cases, the current InBlack MCP surface requires an already-issued ZITADEL bearer token and explicit tenant context.
Required values
URL: https://ai-coo.inblack.app/mcpAuthorization: Bearer <zitadel-access-token>X-Tenant-ID: <tenant-id>The bearer token expires and must be replaced. Store it in the client’s supported secret or environment mechanism; do not commit MCP configuration containing a token.
Cursor
Cursor supports project configuration at .cursor/mcp.json and global configuration at ~/.cursor/mcp.json. A remote entry has this shape:
{ "mcpServers": { "inblack": { "type": "http", "url": "https://ai-coo.inblack.app/mcp", "headers": { "Authorization": "Bearer ${env:INBLACK_ACCESS_TOKEN}", "X-Tenant-ID": "${env:INBLACK_TENANT_ID}" } } }}Make both environment variables available to the Cursor process before launch. If the installed Cursor release does not resolve headers reliably, use the stdio bridge below.
Zed
Open the Agent Panel’s MCP settings and add a custom remote server, or add this to Zed settings:
{ "context_servers": { "inblack": { "url": "https://ai-coo.inblack.app/mcp", "headers": { "Authorization": "Bearer <zitadel-access-token>", "X-Tenant-ID": "<tenant-id>" } } }}Zed only starts its standard MCP OAuth flow when no Authorization header is configured. InBlack’s current bearer-token runtime requires the header form shown above.
Stdio bridge fallback
For an IDE that only accepts a local command, use mcp-remote with explicit headers:
{ "mcpServers": { "inblack": { "command": "npx", "args": [ "-y", "mcp-remote@latest", "https://ai-coo.inblack.app/mcp", "--transport", "http-only", "--header", "Authorization:${INBLACK_AUTH_HEADER}", "--header", "X-Tenant-ID:${INBLACK_TENANT_ID}" ], "env": { "INBLACK_AUTH_HEADER": "Bearer <zitadel-access-token>", "INBLACK_TENANT_ID": "<tenant-id>" } } }}Fit the entry into the IDE’s documented MCP wrapper. Do not remove http-only: the InBlack SSE and messages transports are retired.
Verify
- Confirm the server reports active.
- List tools and verify the response is tenant-filtered.
- Call a T1 read with a small result limit.
- Call a simulate tool before testing a write.
- Handle
INBLACK_CONFIRMATION_REQUIREDand structuredINBLACK_*errors.
After changing X-Tenant-ID, restart or reconnect the server and run discovery again. A tenant header selects context but never grants membership.